Verifying Safety of a Token Coherence

Implementation by Compositional Parametric

Refinement

Sebastian BurckhardtRajeev Alur

Milo M.K. Martin

University of Pennsylvania

- - 22 - -

Sebastian BSebastian Burckhardturckhardt

Verifying Token Coherence

Token Coherence is a novel approach for multiprocessor memory systems that reconciles the diverging requirements of

performance / cost / verifiability

- - 33 - -

Sebastian BSebastian Burckhardturckhardt

Verifying Token Coherence

Token Coherence is a novel approach for multiprocessor memory systems that reconciles the diverging requirements of

performance / cost / verifiability We develop a compositional method for verifying

Token Coherence Safety and apply it to a detailed implementation we found 7 bugs we demonstrate scalability of the method

- - 44 - -

Sebastian BSebastian Burckhardturckhardt

Related Work

K. L. McMillan. A compositional rule for hardware design refinement compositional assume-guarantee refinement rules for

synchronous process model

M. M. K. Martin. Token Coherence. Our abstract protocol resembles work by

G. Delzanno (state multisets for parametric cache coherence verification)

Arvind and X. W. Shen (term rewriting for functional hardware specifications)

G. Berry and G. Boudol (chemical abstract machine)

- - 55 - -

Sebastian BSebastian Burckhardturckhardt

Background:Shared-Memory Multiprocessor

Processors access the ‘same’ memory (reads and writes to memory addresses)

Processor Processor Processor

MemoryLocation 2

MemoryLocation 1

MemoryLocation 3

Coherent Memory System

- - 66 - -

Sebastian BSebastian Burckhardturckhardt

Coherent Memory

Message-passing interconnection network Processors cache local copies as needed Coherence Protocol prevents access to stale copies

Processor Processor Processor

Cache CacheCache

Directory+ Memory

Directory+ Memory

Directory+ Memory

Interconnection Network

- - 77 - -

Sebastian BSebastian Burckhardturckhardt

Example: Coherence by“Single Writer, Multiple Reader”

C CC

D

N

P1 P2 P3

3

3 3

wants to access and modify the

block

wants to access and modify the

block

have read-only copies

- - 88 - -

Sebastian BSebastian Burckhardturckhardt

Example: Coherence by“Single Writer, Multiple Reader”

C CC

D

N

P1 P2 P3

3

3 3

wants to access and modify the

block

- - 99 - -

Sebastian BSebastian Burckhardturckhardt

Example: Coherence by“Single Writer, Multiple Reader”

C CC

D

N

P1 P2 P3

3

4

has exclusive copy can safely write

- - 1010 - -

Sebastian BSebastian Burckhardturckhardt

Performance, Cost, and Complexity

PerformancePerformance: prefer direct communication to centralized directory (lower cache-to-cache latency)

CostCost: prefer unordered interconnect (e.g. mesh topology)

But this creates complexitycomplexity, i.e. it’s hard to design a protocol that is correct and fast. races need arbitration unordered, asynchronous broadcast creates

unreliable snapshots of the system state

- - 1111 - -

Sebastian BSebastian Burckhardturckhardt

Performance, Cost, and Complexity – Token Coherence

PerformancePerformance: direct communication CostCost: unordered interconnect

ComplexityComplexity: use token counting to guarantee safety.

there is a fixed number of tokens per cache block require one token to read, all tokens to write

use timeouts to guarantee liveness. after timeout, use slower, but reliable mechanism

- - 1212 - -

Sebastian BSebastian Burckhardturckhardt

Performance, Cost, and Complexity – Token Coherence

PerformancePerformance: direct communication CostCost: unordered interconnect

ComplexityComplexity: use token counting to guarantee safety.

there is a fixed number of tokens per cache block require one token to read, all tokens to write

use timeouts to guarantee liveness. after timeout, use slower, but reliable mechanism

allows scalable formal

verification

- - 1313 - -

Sebastian BSebastian Burckhardturckhardt

Tokens help to verify safety Our method is scalable because

it’s compositional --- each component is model-checked individually

it’s parametric --- safety is proved for an arbitrary number of caches

How do we achieve that?

- - 1414 - -

Sebastian BSebastian Burckhardturckhardt

Tokens help to verify safety Our verification method is scalable because

it’s compositional --- each implementation component is model-checked individually

it’s parametric --- safety is proved for an arbitrary number of caches

How do we achieve that? we develop a formal model, the ‘abstract token

protocol’ and prove that it is coherent we check refinement of this abstract protocol in a

compositional and inductive manner.

- - 1515 - -

Sebastian BSebastian Burckhardturckhardt

Token counting rules(these are the original rules)

Basic Rules Fixed number of tokens per cache block Require at least one token for read access. Require all tokens for write access.

Extended (MOESI) Rules One of the tokens is “owner” token Owner token can be clean or dirty

dirty owner token indicates that writeback is needed

C D

- - 1616 - -

Sebastian BSebastian Burckhardturckhardt

We take it one step further:

Abstract Token Protocol Model single cache block only

This is sufficient because the memory system is not required to be sequentially consistent. The only requirement is coherence.

Express all relevant state as tokens use token to represent data value use token to represent the memory value

Express state of components as a token bag (multiset)

v

v

v

D

- - 1717 - -

Sebastian BSebastian Burckhardturckhardt

System components and messages are abstractly modeled as token bags

Bags can split (= send a message)

Bags can fuse (= receive a message)

Bags can perform local reactions

Token Transition System

- - 1818 - -

Sebastian BSebastian Burckhardturckhardt

Rules for a 3-token system

Tokens :Tokens :

Regular Token

Clean Owner Token

Dirty Owner Token

Data Token

Memory Token

C

D

v

v

Rewrite Rules:Rewrite Rules:

Read v

Write w

Memread

Memwrite

Copy

Drop

Invariants:Invariants:

- must have in same bag

- must have in same bagD v

v

v v

v wC/D D

vCv Cv

w Dv Cw

v v v

v

- - 1919 - -

Sebastian BSebastian Burckhardturckhardt

Abstract Token Protocol: Example

Tokens :

Regular Token

Clean Owner Token

Dirty Owner Token

Data Token

Memory Token

C

D

v

v

Cv1

- - 2020 - -

Sebastian BSebastian Burckhardturckhardt

Abstract Token Protocol: Example

Tokens :

Regular Token

Clean Owner Token

Dirty Owner Token

Data Token

Memory Token

C

D

v

v

Cv1

wants to read

- - 2121 - -

Sebastian BSebastian Burckhardturckhardt

Abstract Token Protocol: Example

Tokens :

Regular Token

Clean Owner Token

Dirty Owner Token

Data Token

Memory Token

C

D

v

v

Cv1

wants to read

v1

- - 2222 - -

Sebastian BSebastian Burckhardturckhardt

Abstract Token Protocol: Example

Tokens :

Regular Token

Clean Owner Token

Dirty Owner Token

Data Token

Memory Token

C

D

v

v

Cv1

wants to read

v1

- - 2323 - -

Sebastian BSebastian Burckhardturckhardt

Abstract Token Protocol: Example

Tokens :

Regular Token

Clean Owner Token

Dirty Owner Token

Data Token

Memory Token

C

D

v

v

Cv1

wants to read

v1

- - 2424 - -

Sebastian BSebastian Burckhardturckhardt

Abstract Token Protocol: Example

Tokens :

Regular Token

Clean Owner Token

Dirty Owner Token

Data Token

Memory Token

C

D

v

v

Cv1

wants to read

v1

- - 2525 - -

Sebastian BSebastian Burckhardturckhardt

Abstract Token Protocol: Example

Tokens :

Regular Token

Clean Owner Token

Dirty Owner Token

Data Token

Memory Token

C

D

v

v

Cv1

reads v1

v1

- - 2626 - -

Sebastian BSebastian Burckhardturckhardt

Abstract Token Protocol: Example

Tokens :

Regular Token

Clean Owner Token

Dirty Owner Token

Data Token

Memory Token

C

D

v

v

Cv1

v1

wants to read

- - 2727 - -

Sebastian BSebastian Burckhardturckhardt

Abstract Token Protocol: Example

Tokens :

Regular Token

Clean Owner Token

Dirty Owner Token

Data Token

Memory Token

C

D

v

v

Cv1

v1

wants to read

v1

- - 2828 - -

Sebastian BSebastian Burckhardturckhardt

Abstract Token Protocol: Example

Tokens :

Regular Token

Clean Owner Token

Dirty Owner Token

Data Token

Memory Token

C

D

v

v

Cv1

v1

wants to read

v1

- - 2929 - -

Sebastian BSebastian Burckhardturckhardt

Abstract Token Protocol: Example

Tokens :

Regular Token

Clean Owner Token

Dirty Owner Token

Data Token

Memory Token

C

D

v

v

Cv1

v1

wants to read

v1

- - 3030 - -

Sebastian BSebastian Burckhardturckhardt

Abstract Token Protocol: Example

Tokens :

Regular Token

Clean Owner Token

Dirty Owner Token

Data Token

Memory Token

C

D

v

v

Cv1

v1

wants to read

v1

- - 3131 - -

Sebastian BSebastian Burckhardturckhardt

Abstract Token Protocol: Example

Tokens :

Regular Token

Clean Owner Token

Dirty Owner Token

Data Token

Memory Token

C

D

v

v

Cv1

v1

reads v1v1

- - 3232 - -

Sebastian BSebastian Burckhardturckhardt

Abstract Token Protocol: Example

Tokens :

Regular Token

Clean Owner Token

Dirty Owner Token

Data Token

Memory Token

C

D

v

v

Cv1

v1

v1

- - 3333 - -

Sebastian BSebastian Burckhardturckhardt

Abstract Token Protocol: Example

Tokens :

Regular Token

Clean Owner Token

Dirty Owner Token

Data Token

Memory Token

C

D

v

v

Cv1

v1

wants to

modify

v1

- - 3434 - -

Sebastian BSebastian Burckhardturckhardt

Abstract Token Protocol: Example

Tokens :

Regular Token

Clean Owner Token

Dirty Owner Token

Data Token

Memory Token

C

D

v

v

Cv1

wants to

modify

v1

- - 3535 - -

Sebastian BSebastian Burckhardturckhardt

Abstract Token Protocol: Example

Tokens :

Regular Token

Clean Owner Token

Dirty Owner Token

Data Token

Memory Token

C

D

v

vC

v1

wants to

modify

v1

- - 3636 - -

Sebastian BSebastian Burckhardturckhardt

Abstract Token Protocol: Example

Tokens :

Regular Token

Clean Owner Token

Dirty Owner Token

Data Token

Memory Token

C

D

v

v

C

v1

wants to

modify

v1

- - 3737 - -

Sebastian BSebastian Burckhardturckhardt

Abstract Token Protocol: Example

Tokens :

Regular Token

Clean Owner Token

Dirty Owner Token

Data Token

Memory Token

C

D

v

v

C

v1

wants to

modify

v1

- - 3838 - -

Sebastian BSebastian Burckhardturckhardt

Abstract Token Protocol: Example

Tokens :

Regular Token

Clean Owner Token

Dirty Owner Token

Data Token

Memory Token

C

D

v

v

C

v1

cannow modify:

adds 1

v1

- - 3939 - -

Sebastian BSebastian Burckhardturckhardt

Abstract Token Protocol: Example

Tokens :

Regular Token

Clean Owner Token

Dirty Owner Token

Data Token

Memory Token

C

D

v

v

D

v1

v2

wants to

modify

- - 4040 - -

Sebastian BSebastian Burckhardturckhardt

Abstract Token Protocol: Example

Tokens :

Regular Token

Clean Owner Token

Dirty Owner Token

Data Token

Memory Token

C

D

v

v

D

v1

v2

wants to

modify

- - 4141 - -

Sebastian BSebastian Burckhardturckhardt

Abstract Token Protocol: Example

Tokens :

Regular Token

Clean Owner Token

Dirty Owner Token

Data Token

Memory Token

C

D

v

v

v1

wants to

modify

D

v2

- - 4242 - -

Sebastian BSebastian Burckhardturckhardt

Abstract Token Protocol: Example

Tokens :

Regular Token

Clean Owner Token

Dirty Owner Token

Data Token

Memory Token

C

D

v

v

v1

D

v2

wants to

modify

- - 4343 - -

Sebastian BSebastian Burckhardturckhardt

Abstract Token Protocol: Example

Tokens :

Regular Token

Clean Owner Token

Dirty Owner Token

Data Token

Memory Token

C

D

v

v

v1

can now

modify

Dv2

- - 4444 - -

Sebastian BSebastian Burckhardturckhardt

Abstract Token Protocol: Example

Tokens :

Regular Token

Clean Owner Token

Dirty Owner Token

Data Token

Memory Token

C

D

v

v

v1

modifies

Dv3

- - 4545 - -

Sebastian BSebastian Burckhardturckhardt

Abstract Token Protocol: Example

Tokens :

Regular Token

Clean Owner Token

Dirty Owner Token

Data Token

Memory Token

C

D

v

v

D

v1

v3

wants to evict

- - 4646 - -

Sebastian BSebastian Burckhardturckhardt

Abstract Token Protocol: Example

Tokens :

Regular Token

Clean Owner Token

Dirty Owner Token

Data Token

Memory Token

C

D

v

v

D

v1

v3

- - 4747 - -

Sebastian BSebastian Burckhardturckhardt

Abstract Token Protocol: Example

Tokens :

Regular Token

Clean Owner Token

Dirty Owner Token

Data Token

Memory Token

C

D

v

v

D

v1

v3

- - 4848 - -

Sebastian BSebastian Burckhardturckhardt

Abstract Token Protocol: Example

Tokens :

Regular Token

Clean Owner Token

Dirty Owner Token

Data Token

Memory Token

C

D

v

vD

v1

v3

- - 4949 - -

Sebastian BSebastian Burckhardturckhardt

Abstract Token Protocol: Example

Tokens :

Regular Token

Clean Owner Token

Dirty Owner Token

Data Token

Memory Token

C

D

v

vD

v1

v3

- - 5050 - -

Sebastian BSebastian Burckhardturckhardt

Abstract Token Protocol: Example

Tokens :

Regular Token

Clean Owner Token

Dirty Owner Token

Data Token

Memory Token

C

D

v

v

Cv3

- - 5151 - -

Sebastian BSebastian Burckhardturckhardt

Rules for a 3-token system

Tokens :Tokens :

Regular Token

Clean Owner Token

Dirty Owner Token

Data Token

Memory Token

C

D

v

v

Rewrite Rules:Rewrite Rules:

Read v

Write w

Memread

Memwrite

Copy

Drop

Invariants:Invariants:

- must have in same bag

- must have in same bagD v

v

v v

v wC/D D

vCv Cv

w Dv Cw

v v v

v

- - 5252 - -

Sebastian BSebastian Burckhardturckhardt

Rules for a 3-token system

Tokens :Tokens :

Regular Token

Clean Owner Token

Dirty Owner Token

Data Token

Memory Token

C

D

v

v

Rewrite Rules:Rewrite Rules:

Read v

Write w

Memread

Memwrite

Copy

Drop

Invariants:Invariants:

- must have in same bag

- must have in same bagD v

v

v v

v wC/D D

vCv Cv

w Dv Cw

v v v

v

We prove by hand that the abstract token

protocol is coherent.

The proof is quite simple because

token bags (multisets) areintuitive to reason about.

- - 5353 - -

Sebastian BSebastian Burckhardturckhardt

What’s next

Formal spec of abstract token protocol Multisets Rewrite rules

Abstract token protocol is coherent Direct proof by hand

Next: we take an actual implementation and do a compositional parametric refinement verification.

- - 5454 - -

Sebastian BSebastian Burckhardturckhardt

The implementation... is fairly low-level

it’s not just about tokens – it contains many microarchitectural details, as it was used for performance simulations

it includes the secondary (liveness) protocol is too big to be efficiently verifiable by purely

manual methods is coded in SLICC

specification language for implementing cache coherence

generates html-formatted overview tables

- - 5555 - -

Sebastian BSebastian Burckhardturckhardt

This is the overview table for the cache controller, generated from the SLICC code by the SLICC compiler.

- - 5656 - -

Sebastian BSebastian Burckhardturckhardt

State

Trigger

Successor State

ActionSequence

Considered Unreachabl

e

- - 5757 - -

Sebastian BSebastian Burckhardturckhardt

SLICC code specifies action sequences to execute for a givenstate & trigger:transition(NP, Ifetch, IS) { pp_allocateL1ICacheBlock; i_allocateTBE; a_issueRequest; uu_profileMiss; k_popMandatoryQueue; }

SLICC code defines each action:action(d_sendDataWithAllTokens, "d") { peek(requestNetwork_in, RequestMsg) { enqueue(responseNetwork_out, ResponseMsg) { out_msg.Address := address; out_msg.Type := DATA_OWNER; out_msg.Sender := id; out_msg.SenderMachine := MachineType:Directory; out_msg.Destination.add(in_msg.Requestor); out_msg.DestMachine := MachineType:L1Cache; assert(directory[address].Tokens > 0); out_msg.Tokens := directory[in_msg.Address].Tokens; out_msg.DataBlk := directory[in_msg.Address].DataBlk; out_msg.Dirty := false; out_msg.MessageSize := MessageSizeType:Response_Data;directory[address].Tokens := 0;}

- - 5858 - -

Sebastian BSebastian Burckhardturckhardt

Why we need compositionality

Verifying refinement of the entire system is beyond the practical limit of model checking too many states for explicit model checker BDDs too complex for symbolic model checker

refines

C3

3

C CC

DN

P1 P2 P3

3

3 3

- - 5959 - -

Sebastian BSebastian Burckhardturckhardt

Verify components individually

refinesCD

4

D refinesC

3

N refines

- - 6060 - -

Sebastian BSebastian Burckhardturckhardt

But... there are some issues

Components make assumptions on the context if the context does not preserve token numbers,

the implementation is not required to refine the specification.

Solution: define contextual refinement

- - 6161 - -

Sebastian BSebastian Burckhardturckhardt

Contextual Refinement

Say: Q is specification, P is implementation

classic refinement: P Q meansany behavior of P is a possible behavior of Q

contextual refinement: P C Q meansany behavior that P can exhibit in context C is a behavior that Q can exhibit in context C

- - 6262 - -

Sebastian BSebastian Burckhardturckhardt

Compositional Proof

If each system component refines theabstract protocol T in context T:

C T T and D T T and N T T

then the entire system refines the abstract protocol:

C | C | C ... | C | N | D T

Proof: uses assume-guarantee proof rules inductively exploits the deep symmetries of abstract protocol T

- - 6363 - -

Sebastian BSebastian Burckhardturckhardt

Formalism(read the paper for more detail on this.)

a process model based on finite traces process = set of traces interleaved concurrency synchronous communication (CCS-style)

contextual refinement we use a direct definition for this process model can handle open and closed refinement

assume-guarantee proof rules can be applied inductively allow us to use context abstraction

- - 6464 - -

Sebastian BSebastian Burckhardturckhardt

Visualization:Abstracting the context

C

3

3

C

3

3

messages and nodes look alike abstract protocol is self-similar: T | T | ... | T = T

means that context can be modeled as single bag

3 3

- - 6565 - -

Sebastian BSebastian Burckhardturckhardt

What’s next?

We discharge the local obligations

C T T D T T N T T

by model checking the implementation

- - 6666 - -

Sebastian BSebastian Burckhardturckhardt

Model checking in Murphi Do translation & abstraction of SLICC

remove non-relevant state introduces non-determinism done by hand

Model the abstract token coherence Model is used both for spec. and context use finite representations of bags

Need correspondence between impl. and spec. We use annotations to guide the model checker

(eliminates existential quantifier from refinement problem)

- - 6767 - -

Sebastian BSebastian Burckhardturckhardt

Found 7 bugs Some debug-only code was not

properly marked as such In four instances, state was updated incorrectly

for the case where the last token was sent was not hit by sim because the ratio tokens vs. nodes was

large in all sim configurations

Dirty bit was updated too often causes superfluous writebacks – is a performance bug would not have been found had we checked for coherence

only, rather than the stronger refinement obligation

Once the above were fixed, the dirty bit was no longer updated often enough

- - 6868 - -

Sebastian BSebastian Burckhardturckhardt

Results

Found 7 bugs note that implementation had been subjected to

extensive simulation Model checking was very resource-efficient

well within reach of Murphi, with room to spare indicates that the method scales to lower-level

implementations

- - 6969 - -

Sebastian BSebastian Burckhardturckhardt

Contributions

We perform a formal verification of a system-level implementation of token coherence

We present a general, formal specification of the safety substrate of token coherence

We demonstrate that the token abstraction makes the verification more scalable

- - 7070 - -

Sebastian BSebastian Burckhardturckhardt

Future Work

We would like to verify liveness. not a priori clear if same framework is beneficial.

We would like to apply token formalisms to other protocols. try to retrofit on existing protocols (e.g. define

virtual tokens) We would like to automate the procedure.

Translation seems automatable Apply algorithms for rewrite logic Eliminate or reduce annotations

- - 7171 - -

Sebastian BSebastian Burckhardturckhardt

Visit my homepage for an extended version of the paper this presentation in ppt format additional resources (e.g. SLICC code)

Thank you for your attention.C

v1

v1